Data security in a converged network: Part 3
By Joel A. Pogar, Siemens Information and Communication Networks Inc.
AUGUST 07, 2003

As the conclusion to this series, I am recommending best practices for deploying a voice-over-IP (VOIP) system in a security-conscious environment. I'll also share my opinions on Session Initiation Protocol (SIP) vs. H.323 and offer some final insight on the adoption of VOIP in the enterprise.

Based on the technology available today, what would you recommend to secure a VOIP environment? Keep in mind that there is no such thing as a secure environment. As security professionals, it's our job to minimize risk. To minimize the security risks in a VOIP environment, I recommend the following:

Virtual LANs: Make use of virtual LANs to segregate VOIP from data traffic. The virtual LAN will give you some quality-of-service benefits as well as add another layer of complexity for an attacker trying to sniff or capture packets off the network. Keeping voice and data on separate virtual LANs is a good idea for increasing security and performance. Unauthorized devices or spoofing can be mitigated if the switch/router can deny forwarding packets for devices with Media Access Control or IP addresses without matching lists of allowed devices. However, this measure is invalidated with softphones running on PCs (desktop-based devices that make and receive VOIP-based telephone calls), since these are allowed devices that reside on the data network.

In addition, the best practice for securing a virtual LAN for voice is to control the traffic between the voice and data virtual LAN using filtering or firewalls. This can prevent denial-of-service attacks and spoofing as well as provide general filtering that limits malicious footprinting.

Finally, it's a good idea to use RFC 1918 addresses for IP phones to make external scanning for voice devices very difficult and to ensure that no packets can ever be routed out of the corporate network.

Encryption: Where possible, implement encryption through virtual private networks or any method available to you. Encryption has the potential to delay voice packets and adversely affect the performance of VOIP on your network, especially if there are multiple encryption points. However, as long your network is operating efficiently, the overhead of the encryption should have no impact on the performance of the VOIP system. You can minimize the risk to voice quality even more by employing hardware crypto systems rather than those performed in software.

Direct firewall support: If VOIP traffic will be traversing a firewall, make sure your firewall is capable of direct support for SIP or H.323. If you have to open a port to allow these protocols through, then your firewall doesn't adequately support VOIP.

Use of reverse proxies: Segment your VOIP traffic from your data traffic and consider using a multimedia gateway or reverse proxy. These devices offer greater security and are designed to handle VOIP traffic more efficiently than a traditional firewall.

Secure operating system of call-handling software: Use a commercial scanning tool to probe the call servers in your VOIP system. If any critical or high-level vulnerabilities arise, contact your vendor to have them corrected as soon as possible. Care should be taken to allow only necessary services to run and to limit the number of listening ports that could be attacked. This might warrant placing core VOIP devices in a safe zone behind a firewall or a router with access filters.

Routine monitoring: Managed services are a good idea if you don't have the resources to keep an eye on your network. It also makes sense when your VOIP system becomes mission-critical. You should establish daily, weekly and quarterly milestones of activity to watch for. This ensures that your system is performing adequately and that your VOIP hasn't been compromised.

Sound practices: Observe sound security practices. Strong passwords, antivirus protection and reliable backup are all part of a good data security program. If you have a good program already in place, then you have that much of an advantage when implementing VOIP.

Do I need an intrusion-detection system (IDS) on my VOIP network? It certainly wouldn't hurt. However, in my experience, I've seen IDS systems generate a substantial amount of false positives on a voice network. Many, but not all, IDS systems use pattern matching to detect anomalies. To an IDS system, voice traffic is just a series of ones and zeros. It's inevitable that the conversion of voice to a data value for network transport will match some IDS signature and generate an alert. If you choose to use IDS on your voice network, be aware that a larger number of false positives can be generated and considerable grooming may be required to have the IDS system operate effectively. If your IDS system has the ability to disconnect potential intruders, this could disrupt voice calls if they have been incorrectly assessed as an attack by the IDS system.

Of the two most used VOIP protocols, SIP and H.323, which is more secure? From a security perspective, both protocols are fairly equal. It's very difficult to say one is more secure than the other. They both offer authentication and encryption features within the protocol, but few vendors are leveraging the complete capabilities of either protocol. They also share a common vulnerability in their signaling or call setup. As we have discussed previously, call signaling is crucial to VOIP communications, and disrupting or attacking the signaling process could be a denial-of-service attack or a way to fraudulently use the IP-private branch exchange. Although they both have pros and cons, we would feel very comfortable recommending either of the protocols based solely on their security capabilities. Packetizer has a very good, side-by-side comparison of the two protocols.

Will security issues slow the adoption of VOIP technologies? Probably not. Although several organizations have delayed implementing VOIP technologies until the security impact to the organization could be analyzed, this delay has been only a few weeks in duration and is negligible in the overall adoption rate. Many organizations quickly realize the issues that have been presented in this series and concluded that no additional security risks are introduced through the implementation of VOIP.

Joel A. Pogar is national practice manager, Information Security, Siemens Information and Communication Networks Inc.

CW Part3